Page 180 - Cyber Defense eMagazine June 2024

            exclusively rely on predefined scripts and rules to analyze malware, interactive sandboxes enable
            analysts to manually interact with the malware and manipulate its environment.

            Interactive sandbox interface

            Thanks to interactivity, analysts can perform a wider range of activities that can benefit their
            investigations. These involve copying from and pasting to the VM, downloading and running additional
            files, using a web browser, and even rebooting the system. This approach provides a more
            comprehensive understanding of the malware's behavior, functionality, and intent.

            Let’s look at the situations where such an approach proves more effective than the automated one.



            Scenario 1: Complex Evasion Techniques


            Some malware exhibits behavior that automated sandboxes may struggle to analyze. Such behavior
            usually depends on human interaction from the user, which is hard to reproduce in an automated
            solution. Interactivity allows analysts to engage with the targeted system as they would on an
            actual computer.

                   ●  Steganography: Consider the steganography technique, which attackers have employed in
                       many campaigns over the past year. One of the most common implementations of this
                       method involves hiding malicious code inside an image. An interactive sandbox enables
                       analysts to manually extract such content and view its details. Check out this analysis of a
                       stegocampaign, where an image with a base64 encoded executable was used.
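            As an added illustration of the image-with-base64-executable pattern just described (this is not code from the article or from the analysis it refers to), a small Python triage helper: it scans an image's bytes for long base64 runs, decodes each one, and keeps only payloads that carry a valid PE header, so an analyst can locate and hash the embedded file instead of eyeballing it. The JFIF-like container, the decoy run and the PE stub are constructed inline.

```python
"""Triage helper for the image-with-base64-executable pattern described above.
Added example, not the article's code: scans bytes for base64 runs and keeps those that decode to a PE."""
import base64
import hashlib
import re
import struct

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")   # base64 runs long enough to be worth decoding

def decode_lenient(run: bytes) -> bytes:
    """Decode a base64 run, repairing missing padding and a stray trailing char."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:          # no valid base64 string has this alignment
        run = run[:-1]
    return base64.b64decode(run + b"=" * (-len(run) % 4))

def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_executables(data: bytes) -> list:
    """Return (offset, encoded_len, sha256, payload) for every base64 run that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(data):
        payload = decode_lenient(m.group(0))
        if looks_like_pe(payload):
            digest = hashlib.sha256(payload).hexdigest()
            hits.append((m.start(), len(m.group(0)), digest, payload))
    return hits

def build_fake_pe() -> bytes:
    """Constructed PE-shaped stub (not real malware): MZ header whose e_lfanew -> 'PE\\0\\0'."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\0\0" + b"\x00" * 12

FAKE_PE = build_fake_pe()
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00"     # constructed "image": JFIF-like header,
                + base64.b64encode(b"this is only a decoy string " * 4) + b"\xff\xdb"   # harmless base64 decoy,
                + base64.b64encode(FAKE_PE) + b"\xff\xd9")            # then the base64-encoded PE stub

if __name__ == "__main__":
    for offset, enc_len, digest, payload in find_embedded_executables(SAMPLE_IMAGE):
        print(f"PE at offset {offset}: {enc_len} b64 chars -> {len(payload)} bytes, sha256 {digest}")
```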







            Cyber Defense eMagazine – June 2024 Edition 180
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.